Re: gpgme 1.7.0~ alpha or beta to debian experimental?

2016-10-07 Thread Lisandro Damián Nicanor Pérez Meyer
On Friday, 7 October 2016 4:56:03 PM ART Daniel Kahn Gillmor wrote:
[snip] 
> > And also: yes, -fPIE needs overriding if using hardening flags.
> 
> can you explain that in more detail?  what specifically should be
> overridden and where?

Sure. Hardening adds -fPIE to CFLAGS/CXXFLAGS, so you either need to remove it 
from there with

  CXXFLAGS := $(filter-out -fPIE,$(CXXFLAGS)) # Untested, but should work

or simply not enable all hardening features:



Just use -pie there.

I wonder what +all,-pie would do there.

-- 
because it does not respect the natural order in which things are read
>why is top-posting so annoying?
>>top-posting
>>>what is the worst annoyance in reply emails?

Lisandro Damián Nicanor Pérez Meyer
http://perezmeyer.com.ar/
http://perezmeyer.blogspot.com/


-- 
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-kde-talk
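
Since the snippet Lisandro refers to did not survive in the archive, here is an added debian/rules fragment (not from the thread, not from the gpgme packaging) that shows both of the approaches he describes and makes the "+all,-pie" question concrete: approach 1 keeps every dpkg-buildflags hardening feature except PIE, so dpkg-buildflags no longer emits the PIE flags at all; approach 2 keeps hardening=+all and strips -fPIE from the flags in the rules file, substituting -fPIC as Dmitry suggests so the objects can still be linked into a shared library. The package, the dh-based build and the show-flags target are assumptions for illustration.

```make
#!/usr/bin/make -f
# Added example (not from the thread): debian/rules for a hypothetical
# package that builds a shared library whose objects must not be -fPIE.

# Approach 1: enable all hardening features except PIE.
# dpkg-buildflags then omits the PIE flags from CFLAGS/CXXFLAGS/LDFLAGS
# while keeping stack protector, fortify, relro, bindnow and format checks.
export DEB_BUILD_MAINT_OPTIONS = hardening=+all,-pie

# Approach 2 (alternative, kept commented out): keep hardening=+all, import
# the flags, then drop -fPIE yourself and add -fPIC so the code stays
# position independent for a shared library. Variables marked with
# "export" by buildflags.mk stay exported after reassignment.
# export DEB_BUILD_MAINT_OPTIONS = hardening=+all
# DPKG_EXPORT_BUILDFLAGS = 1
# include /usr/share/dpkg/buildflags.mk
# CFLAGS   := $(filter-out -fPIE,$(CFLAGS)) -fPIC
# CXXFLAGS := $(filter-out -fPIE,$(CXXFLAGS)) -fPIC
# LDFLAGS  := $(filter-out -fPIE -pie,$(LDFLAGS))

%:
	dh $@

# Hypothetical helper target: print the flags dpkg-buildflags would export
# under the options above, to confirm -fPIE is gone before building.
show-flags:
	dpkg-buildflags --get CFLAGS
	dpkg-buildflags --get CXXFLAGS
	dpkg-buildflags --get LDFLAGS
```

Approach 1 is the cleaner of the two because it states the intent in one place and lets dpkg-buildflags stay in control of the remaining hardening features; approach 2 is what you need when the toolchain or a sub-build ignores DEB_BUILD_MAINT_OPTIONS and you must correct the flags after the fact. Running `debian/rules show-flags` before and after the change is a quick way to verify which flags the build will actually see.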

Re: gpgme 1.7.0~ alpha or beta to debian experimental?

2016-10-07 Thread Sandro Knauß
Hey,

> >> -fPIC implies -fPIE. Replacing -fPIE with -fPIC is the right thing to do,
> >> and is needed to get the code working with Qt 5.4.2+.
> > 
> > And also: yes, -fPIE needs overriding if using hardening flags.
> 
> can you explain that in more detail?  what specifically should be
> overridden and where?

Yes, these are exactly my questions too, because I'm puzzled by all these 
build flags...

regards,

sandro

-- 
I've switched my GnuPG key:
http://sandroknauss.de/files/transition2015.asc

My (new) public key: E68031D299A6527C 
Fingerprint:
D256 4951 1272 8840 BB5E  99F2 E680 31D2 99A6 527C 
Get it e.g. here:
pool.sks-keyservers.net, ...


Re: kmail CVEs and patches

2016-10-07 Thread Sandro Knauß
Hey,
 
> I tried to backport the CVE-2016-7966 fix commit to kf 5.26 and it didn't
> apply cleanly. It would be nice if the advisory included the list of the
> commits to backport, or maybe a new 5.26.1 kcoreaddons bugfix release.

Yes, another patch is missing there - I already informed them and hopefully 
they will update the info. I also asked if they will ship an updated 5.26 
version.

> About: https://www.kde.org/info/security/advisory-20161006-3.txt
> 
> Via irc you mentioned that non qtwebengine versions are affected by this as
> well, which contradicts the versions listed in the advisory message. As you
> know, we are currently using qt 5.6 and messagelib from 16.04, which set of
> patches should we include?

No, I misread the CVE. There is nothing to do here.

Regards,

sandro



Re: gpgme 1.7.0~ alpha or beta to debian experimental?

2016-10-07 Thread Daniel Kahn Gillmor
On Fri 2016-10-07 16:33:20 -0400, Lisandro Damián Nicanor Pérez Meyer wrote:
> On Friday, 7 October 2016 6:35:00 PM ART Dmitry Shachnev wrote:
>> On Fri, 07 Oct 2016 08:54:53 -0400, Daniel Kahn Gillmor wrote:
>> > I've been reading about -fPIC and -fpic and -fPIE and -fpie and -pie for
>> > years and i confess i've never completely understood the differences or
>> > whether one is "stronger" than another.
>> > 
>> > gcc says of -fPIE and -fpic "generated position independent code can be
>> > only linked into executables." which makes it seem odd that these
>> > parameters would be passed through to building libraries in the first
>> > place.
>> 
>> -fPIC implies -fPIE. Replacing -fPIE with -fPIC is the right thing to do,
>> and is needed to get the code working with Qt 5.4.2+.
>
> And also: yes, -fPIE needs overriding if using hardening flags.

can you explain that in more detail?  what specifically should be
overridden and where?

thanks,

   --dkg


Re: [d...@fifthhorseman.net: Re: gpgme 1.7.0~ alpha or beta to debian experimental?]

2016-10-07 Thread Sandro Knauß
Hey,

> I'm not entirely sure what to do about the name of the library during
> this handoff -- it might drop the "kf5" prefix.  If we don't drop the
> "kf5" prefix, i suppose we'll need an epoch number in the package
> version to make sure that upgrades happen.  It's also possible that
> we'll need to do a similar thing with qgpgme, i guess.

the libs gpgme installs are without the kf5 prefix, so we should also name 
the package like the libs, without the kf5 prefix. That way we don't end up 
having the same package names, which makes life easier for the transition :)

I hope I will finish the build of the C++/Qt bindings in the next days and 
will publish them in a private clone of the Debian repo, so dkg can check my 
changes before pulling them in, just to make sure I don't break your workflow.

Regards,

sandro


Re: gpgme 1.7.0~ alpha or beta to debian experimental?

2016-10-07 Thread Lisandro Damián Nicanor Pérez Meyer
On Friday, 7 October 2016 6:35:00 PM ART Dmitry Shachnev wrote:
> On Fri, 07 Oct 2016 08:54:53 -0400, Daniel Kahn Gillmor wrote:
> > I've been reading about -fPIC and -fpic and -fPIE and -fpie and -pie for
> > years and i confess i've never completely understood the differences or
> > whether one is "stronger" than another.
> > 
> > gcc says of -fPIE and -fpic "generated position independent code can be
> > only linked into executables." which makes it seem odd that these
> > parameters would be passed through to building libraries in the first
> > place.
> 
> -fPIC implies -fPIE. Replacing -fPIE with -fPIC is the right thing to do,
> and is needed to get the code working with Qt 5.4.2+.

And also: yes, -fPIE needs overriding if using hardening flags.

-- 
On Argentina: "I know it is one of the most hospitable countries in the world"
 Albert Einstein

Lisandro Damián Nicanor Pérez Meyer
http://perezmeyer.com.ar/
http://perezmeyer.blogspot.com/



Re: [d...@fifthhorseman.net: Re: gpgme 1.7.0~ alpha or beta to debian experimental?]

2016-10-07 Thread Daniel Kahn Gillmor
¡Hola Maximiliano!

On Fri 2016-10-07 09:45:25 -0400, Maximiliano Curia wrote:
> Yes, sorry for not replying sooner. We are not planning to upload a new
> version of gpgmepp (we are currently skipping 16.08 and upstream is
> apparently dropping gpgmepp for 16.12).

ok, cool.  so then taking it over with the gpgme1.0 source package
should be OK.

I'm not entirely sure what to do about the name of the library during
this handoff -- it might drop the "kf5" prefix.  If we don't drop the
"kf5" prefix, i suppose we'll need an epoch number in the package
version to make sure that upgrades happen.  It's also possible that
we'll need to do a similar thing with qgpgme, i guess.

thanks for the reply,

  --dkg



Re: gpgme 1.7.0~ alpha or beta to debian experimental?

2016-10-07 Thread Dmitry Shachnev
On Fri, 07 Oct 2016 08:54:53 -0400, Daniel Kahn Gillmor wrote:
> I've been reading about -fPIC and -fpic and -fPIE and -fpie and -pie for
> years and i confess i've never completely understood the differences or
> whether one is "stronger" than another.
>
> gcc says of -fPIE and -fpic "generated position independent code can be
> only linked into executables." which makes it seem odd that these
> parameters would be passed through to building libraries in the first
> place.

-fPIC implies -fPIE. Replacing -fPIE with -fPIC is the right thing to do,
and is needed to get the code working with Qt 5.4.2+.

--
Dmitry Shachnev



Re: gpgme 1.7.0~ alpha or beta to debian experimental?

2016-10-07 Thread Maximiliano Curia
(resending on list)

Qt and KDE libs are built with -fPIC, which, afaik, is stronger than and 
incompatible with -fPIE. Would it be an option to use -fPIC for gpgme?

On October 7, 2016 3:48:39 AM GMT+02:00, Daniel Kahn Gillmor wrote:
> On Thu 2016-10-06 19:51:57 -0400, Sandro Knauß wrote:
>
>> I now started to build cpp and qt bindings for gpgme but ran into an 
>> issue with the hardening flags. The problem is the -fPIE. With this 
>> enabled configure stops with:
>
> fwiw, I'm seeing a similar issue with hardening flags and the python 
> bindings -- they're getting in the way of building with swig.
>
> If you're up for the gpgme1.0 source package taking over the cpp and qt 
> binary packages, i'd be willing to consider dropping the hardening flags 
> for now just to make sure they can be built properly from the same 
> source.
>
> If the QT/KDE folks have a proposal for how to fix it later, i'd be 
> happy to fix it subsequently as well.
>
> what do you think?
>
> --dkg


-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.



kmail CVEs and patches

2016-10-07 Thread Maximiliano Curia

Hi,

About: https://www.kde.org/info/security/advisory-20161006-1.txt

I tried to backport the CVE-2016-7966 fix commit to kf 5.26 and it didn't 
apply cleanly. It would be nice if the advisory included the list of the 
commits to backport, or maybe a new 5.26.1 kcoreaddons bugfix release.


About: https://www.kde.org/info/security/advisory-20161006-3.txt

Via irc you mentioned that non qtwebengine versions are affected by this as 
well, which contradicts the versions listed in the advisory message. As you 
know, we are currently using qt 5.6 and messagelib from 16.04, which set of 
patches should we include?


Happy hacking,
--
"It is practically impossible to teach good programming to students that have
had a prior exposure to BASIC: as potential programmers they are mentally
mutilated beyond hope of regeneration."
-- Edsger W. Dijkstra
Regards /\/\ /\ >< `/

